I'd like to propose that we import OpenLDAP into NetBSD. Benefits: * It appears to be most common protocol for distributed user & group authentication across heterogenous systems, including Windows (Active Directory), OS X, Solaris, most Linux distributions. It has replaced NIS for most UNIX systems. * Existing tools in the tree can be compiled with LDAP support, and providing an LDAP implementation in the base distribution removes the need to provide a replacement (via pkgsrc) of said tools just to enable LDAP. These include: - AMD (for the automount maps) - BIND (to store zones in, instead of using files) - Heimdal (to store the krb5 databasee) - Postfix (various address tables) - Racoon * OpenLDAP appears to have license suitable for use by TNF code: http://www.openldap.org/software/release/license.html * OpenLDAP provides both a library for client applications to use, and a server implementation. * Can be used for username/group lookups and authentication via nsswitch nss_ldap.so and PAM pam_ldap.so modules. A common implementation is the LGPL licensed versions from http://www.padl.com/, which may or may not be suitable. A proof of concept BSD-licensed nss_ldap has been written by Tyler Retzlaff <rtr> for NetBSD. Costs: * Base gets a bit bigger. * LDAP isn't as lightweight as advertised. Proposed plan: * Import openldap 2.4.8 ("OpenLDAP release") into src/dist/openldap * Provide reachover Makefiles in the appropriate sections of the tree for the client libraries and the servers. There's a project at: http://www.netbsd.org/contrib/projects.html#ldapimport for this. I don't think that the effort would take two weeks. * Enable LDAP in the various tools that can use it. * Consider providing defaults that use LDAP over SSL. * Evaluate & import Tyler Retzlaff's nss_ldap implementation (for at least passwd and group databases). * Write (or commission) a pam_ldap implementation. Opinions ? cheers, Luke.
Description: PGP signature